Ken:

Hi everyone,

I plan to run TurnKey Nextcloud in a Proxmox container. My Proxmox server has only one public IP.

At this time the Proxmox server has two Linux bridges: vmbr0 with the public IP set, and vmbr1 for the LAN: 192.168.10.1/24. I configured NAT in /etc/network/interfaces and the internal VMs and CTs can access the Internet normally.

auto vmbr1
iface vmbr1 inet static
    address 192.168.10.1
    netmask 255.255.255.0
    bridge-ports none
    bridge-stp off
    bridge-fd 0

    # 1. Enable forwarding
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward

    # 2a. Allow VMs to reach outside world using NAT addresses
    post-up iptables -t nat -A POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.10.0/24' -o vmbr0 -j MASQUERADE
    
    # 2b. Allow NAT working with the built-in firewall
    post-up   iptables -t raw -I PREROUTING  -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING  -i fwbr+ -j CT --zone 1

I have a domain that points to the Proxmox server IP (I can access the Proxmox server normally with this domain: https://mydomain.com:8006), so my question is: how should I configure things so that I can also connect to my Nextcloud container from the Internet with this domain?

Jeremy Davis:

This sort of thing is not my speciality, but by my understanding, the "best practice" way of doing this sort of stuff is to have a single server (I'd recommend a full VM) in a DMZ (and outside your LAN IP range and your local firewall). Have your router configured so that all incoming connections can ONLY reach this server. So essentially this server is the only thing that can be contacted from the internet - unless the connection was initiated from a PC (virtual or otherwise) within your LAN.

Then configure this "public" server to act as a reverse proxy. Personally, I like Nginx for this purpose, but there are lots of other options. Configure your reverse proxy to respond to the desired domain name(s) and to ignore any other connection attempts. Configure the reverse proxy to forward the desired subdomains and/or ports to the relevant servers within your LAN. Configure specific rules in your firewall to only allow the "public" server to connect to the specific servers on the specific ports (and nothing else).

Using this sort of model, you could define a subdomain for your Proxmox instance instead if you wanted (e.g. https://pve.mydomain.com rather than https://mydomain.com:8006) and you could assign a subdomain for your nextcloud instance too, e.g. nextcloud.mydomain.com

I've personally only ever used reverse proxying to reroute traffic like you're trying to do, although in theory, I'm sure that it should also be possible via firewall rules (so long as each service uses a unique port). My assumption on that is that you would essentially replicate the existing config that you have to forward port 8006 to your Proxmox host, but instead forward port 443 (default HTTPS) or some other custom port you'd rather use.

I hope that helps...
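The layout described in the answer above, mapped onto the single-public-IP setup from the question, as an added example that is not part of either post. It assumes a reverse-proxy CT at 192.168.10.2 is the only host the Internet can reach (the DNAT rule plays the role of "the router forwards only to this server"), a TurnKey Nextcloud CT at 192.168.10.3 serving HTTPS on 443, the Proxmox host at 192.168.10.1:8006, the hostnames nextcloud.mydomain.com and pve.mydomain.com, and one Let's Encrypt certificate covering both names under /etc/letsencrypt/live/mydomain.com. The iptables part runs on the Proxmox host and complements the existing MASQUERADE rule; the nginx part is what you would install on the proxy CT.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the host-side iptables rules and the
# nginx site config for the proxy CT; "apply" loads the iptables rules on the host.
# All addresses, hostnames and certificate paths below are assumptions.
set -eu

: "${WAN_IF:=vmbr0}"              # bridge holding the public IP
: "${LAN_IF:=vmbr1}"              # NAT'd LAN bridge, 192.168.10.1/24 on the host
: "${PVE_IP:=192.168.10.1}"       # Proxmox host as seen from the LAN
: "${PROXY_IP:=192.168.10.2}"     # assumed: reverse-proxy CT, the only public host
: "${NEXTCLOUD_IP:=192.168.10.3}" # assumed: TurnKey Nextcloud CT, HTTPS on 443

# Host iptables rules; to persist them, add each as post-up/post-down lines next to
# the existing MASQUERADE rule in /etc/network/interfaces.
forward_rules() {
  cat <<EOF
# 1. All internet traffic to 80/443 is sent to the proxy CT and nowhere else
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $PROXY_IP
# 2. Replies to flows that were already allowed
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. LAN may initiate anything outbound (MASQUERADE rewrites the source)
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
# 4. Internet may open connections only to the proxy, only on 80/443
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PROXY_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# 5. Proxy may open connections to Nextcloud only on 443. CT-to-CT traffic on one bridge
#    reaches this chain only with net.bridge.bridge-nf-call-iptables=1; otherwise put the
#    same restriction in the Proxmox firewall on the Nextcloud CT. Proxy -> host:8006 is
#    INPUT traffic, not FORWARD, so limit that in the host firewall separately.
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $PROXY_IP -d $NEXTCLOUD_IP -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# 6. Any other new connection from the internet into the LAN is dropped
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -j DROP
EOF
}

# nginx site for the proxy CT: one vhost per subdomain, everything else refused.
nginx_site() {
  sed -e "s/@NEXTCLOUD_IP@/$NEXTCLOUD_IP/g" -e "s/@PVE_IP@/$PVE_IP/g" <<'EOF'
server {                      # plain HTTP: redirect only the names we serve
    listen 80;
    server_name nextcloud.mydomain.com pve.mydomain.com;
    return 301 https://$host$request_uri;
}
server { listen 80 default_server; server_name _; return 444; }
server {
    listen 443 ssl;
    server_name nextcloud.mydomain.com;
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    client_max_body_size 0;   # large uploads; Nextcloud enforces its own limit
    location / {
        proxy_pass https://@NEXTCLOUD_IP@;   # TurnKey Nextcloud terminates TLS itself
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # nginx does not verify upstream certs by default; to pin the CT's cert add:
        # proxy_ssl_trusted_certificate /etc/nginx/nextcloud-ct.crt; proxy_ssl_verify on;
    }
}
server {
    listen 443 ssl;
    server_name pve.mydomain.com;
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    location / {
        proxy_pass https://@PVE_IP@:8006;
        proxy_http_version 1.1;               # noVNC/xterm.js consoles use WebSockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
server {                      # catch-all: unknown names get no response at all
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    return 444;
}
EOF
}

case "${1:-print}" in
  apply) forward_rules | sh ;;            # run as root on the Proxmox host
  *)     forward_rules; echo; nginx_site ;;
esac
```

With this in place port 8006 on the public IP is untouched, so https://mydomain.com:8006 keeps working until you decide to close it in favour of pve.mydomain.com; the DNAT rule only claims 80 and 443. If the Proxmox firewall (pve-firewall) is enabled, check its generated FORWARD chain ordering against these appended rules, since the fwbr+ conntrack zone lines in the question indicate it is in use.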
